There are multiple bypass vulnerabilities which could allow an attacker to get past the passcode lock screen on Apple devices running iOS 9.
The details for four different attack scenarios were disclosed by Vulnerability Lab. It’s important to note that an attacker would need physical access to the device to pull this off; that being said, the advisory says the hacks were successfully executed on iPhone models 5, 5s, 6 and 6s as well as iPad models Mini, 1 and 2 running iOS 9 versions 9.0, 9.1 and 9.2.1.
Security researcher Benjamin Kunz Mejri, who disclosed a different method for disabling the passcode lock screen on iOS 8 and iOS 9 about a month ago, discovered the flaws. Vulnerability Lab posted a proof-of-concept video showing multiple new ways for a local attacker to bypass the passcode in iOS 9 and gain unauthorized access to the device.
“Local attackers can use Siri, the event calendar or the available clock module for an internal browser link request to the App Store that is able to bypass the customer’s passcode or fingerprint protection mechanism,” the disclosure states. The attacks exploit vulnerabilities “in App Store, Buy more Tones or Weather Channel links of the clock, event calendar and Siri user interface.”
There are four attack scenarios explained in the disclosure and demonstrated in the proof-of-concept video; each begins on an iOS device with a locked passcode.
The first scenario involves pushing the Home button to activate Siri and asking her to open a non-existing app. Siri responds that you have no such app, but she “can help you look for it on the App Store.” Tapping on the App Store button opens a “a new restricted browser window.” Either select update and open the last app, or “push twice on the Home button” for the task slide preview to appear. Swipe over to the active front screen task and that bypassed the passcode lock screen on iPhone models 5, 5s, 6 and 6s.
The second scenario is similar, first pushing on the Home button for two seconds to activate Siri and then asking to open the clock app. Switch to world clock in the bottom module and tap the image for the Weather Channel LLC network; if the weather app is deactivated by default, then a new restricted browser window will open which has App Store menu links. Click update and open the last app, or tap twice on the Home button to get to task slide preview. Swipe over to the active front screen and voila – passcode lock screen bypassed again; this reportedly works on iPhone models 5, 5s, 6 and 6s.
The third attack scenario works on iPad model 1 and 2, but basically follows the same steps as scenario two to bypass the passcode and gain unauthorized access to the device.
The fourth way to bypass the lock screen passcode involves forcing Siri to open by pushing the Home button and asking her to “open Events/Calendar app.” An attacker could tap the “Information of Weather Channel” link which is found at the bottom of the screen next to the “Tomorrow module.” If the weather app is deactivated by default, then a new restricted browser window opens with App Store links. Tap update and open the last app, or push twice on the Home button to bring up the task slide preview. Swipe over to select the active front screen and the passcode on the lock screen is bypassed.
Although the Apple security team was reportedly notified on January 4, there are no dates listed in the vulnerability disclosure timeline for Apple responding or developing a patch. Vulnerability Lab proposed the following temporary solution for users to harden device settings:
- Deactivate in the Settings menu the Siri module permanently.
- Deactivate also the Events Calendar without passcode to disable the push function of the Weather Channel LLC link.
- Deactivate in the next step the public control panel with the timer and world clock to disarm exploitation.
- Activate the weather app settings to prevent the redirect when the module is disabled by default in the events calendar.